"Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency. The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate." Woah.

OK, we're cross-talking here. You're talking about the root DNS zones. DNSSEC changes nothing in regards to how these zones are managed; I'm speaking strictly in terms of the cryptographic root signing keys for DNSSEC itself. The mathematical properties which allow PKI to provide immense scalability also make it imperative that the root keys must never be leaked, otherwise the entire chain of trust is broken.

If I had access to the DNSSEC root signing key, I could then create a fictitious chain of trust stemming from root and conduct man-in-the-middle attacks against all DNSSEC implementations which trust the official public keys, which will be all of them. I don't need physical access to the root nameservers to pull it off, just the ability to intercept and forge packets to the target who will trust my forgeries because my cryptographic signatures will be valid. *THIS* is what I'm talking about. I'm *NOT* talking about coercing zone administrators to change the zone, that's completely different from breaking the cryptographic chain of trust.
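
Added example, not part of the original post: a toy validator that walks a chain of trust from a configured anchor, to show that acceptance rests only on signature math against that anchor. It assumes textbook RSA over constructed Mersenne-prime keys and a simplified DS payload, not real DNSSEC algorithms or wire format; every name in it is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data):
    return pow(digest(data), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data)

def ds_payload(zone, child_n):
    # Simplified stand-in for a DS record: child zone name plus a hash of its public key.
    return zone.encode() + hashlib.sha256(child_n.to_bytes(256, "big")).digest()

def delegate(parent, zone, child):
    """Parent vouches for the child's key, as a signed DS record does."""
    return (zone, child["n"], sign(parent, ds_payload(zone, child["n"])))

def validate(anchor_n, links, record, rec_sig):
    """Walk from the trust anchor down; every step is pure signature math."""
    n = anchor_n
    for zone, child_n, ds_sig in links:
        if not verify(n, ds_payload(zone, child_n), ds_sig):
            return False
        n = child_n
    return verify(n, record, rec_sig)

ROOT = make_key(521, 607)        # plays the root key; its "n" is the trust anchor
ZONE = make_key(521, 1279)       # key of the child zone "example."
UNTRUSTED = make_key(607, 1279)  # a key the validator was never configured with
RECORD = b"www.example. A 192.0.2.10"  # constructed sample record

def results():
    sig = sign(ZONE, RECORD)
    good = validate(ROOT["n"], [delegate(ROOT, "example.", ZONE)], RECORD, sig)
    wrong_root = validate(ROOT["n"], [delegate(UNTRUSTED, "example.", ZONE)], RECORD, sig)
    altered = validate(ROOT["n"], [delegate(ROOT, "example.", ZONE)], b"www.example. A 198.51.100.7", sig)
    return good, wrong_root, altered

if __name__ == "__main__":
    print(results())
```

The validator's only input is the anchor's public value, so it has no way to tell who produced a signature made with the matching private key, which is why custody of that key carries the whole chain.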